Cyberspace is a relatively new dimension in national security that could eventually rival the land, sea, air, and space environments in importance. Since cyberspace is relatively new, existing international law does not directly distinguish between crimes and acts of war for activities in cyberspace. However, making the distinction between crime and war using existing law is essential in determining which of the multiple stakeholders takes the lead in preventing or responding to computer network attacks on United States government or private networks. This paper analyzes six basic sources of cyberspace threats in terms of existing law to determine which threats and their resulting cyberspace activities are matters for law enforcement as opposed to acts of war to be pursued by the Department of Defense. Additionally, the paper describes the implications for intelligence collection and analysis and proposes several imperatives for the intelligence community that result from the legal status and constraints existent in international law interpretations on use of force and armed attacks that can generally be applied to the cyberspace environment.
Our Nation’s growing dependence on cyber and information-related technologies, coupled with an increasing threat of malicious cyber-attacks and loss of privacy, has given rise to the need for greater security of our digital networks and infrastructures. In the Information Age, the very technologies that empower us to create and build also empower those who would disrupt and destroy.

— President Barack Obama

This statement by President Obama highlights current national security concerns with cyberspace, which is “a global domain... consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” In 2003, President Bush published “The National Strategy to Secure Cyberspace” and, in 2009, President Obama directed a 60-day review of cyber-security strategy which resulted in a policy review document. Both documents recognized that cyberspace was a new domain in national security with complex legal issues and network vulnerabilities, especially in the nation’s critical infrastructure. Since cyberspace is relatively new, existing international law does not directly distinguish between crimes and acts of war for activities in cyberspace. However, making the distinction between crime and war is essential in determining which of the multiple stakeholders takes the lead in preventing or responding to computer intrusions on United States (US) government or private networks.

Part of the challenge in making legal distinctions is defining the evolving terminology related to cyberspace. This paper uses the definitions accepted in joint doctrine with some minor modifications. Computer intrusions are “incident[s] of unauthorized access to data or an automated information system” or networks by state and non-state actors. Computer intrusions take two forms: computer network exploitation and computer network attack. Computer network exploitation (CNE) is “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” Computer network attacks (CNA) are “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” While CNE and CNA tools are similar, CNE is usually done with the intent for espionage, while CNA is done for profit, sabotage, or other harm.

According to General Keith Alexander, commander of US Cyber Command (USCYBERCOM), “[t]here is a real probability, that in the future, this country will get hit with a destructive [cyber] attack, and we need to be ready for it.” Imagine the following scenario as an example of such an attack. It is 2012 and the United States has just fallen victim to a cyber-worm designed to precisely target the supervisory control and data acquisition (SCADA) systems of nuclear power facilities and cause physical harm by shutting down reactor cooling systems. The worm infected 20 nuclear facilities, with two of the facilities experiencing temporary cooling system failures, resulting in 15 deaths and 80 injuries before the damage could be contained. Attribution has been elusive, with the worms being traced back to computers in the United States, India, and Pakistan, but intelligence officials suspect Iran of being behind the worm as retaliation for a 2010 CNA against Iranian nuclear facility centrifuges.

A post-attack intelligence review by the Office of the Director of National Intelligence (ODNI) revealed several data points that were never shared nor connected. The Central Intelligence Agency (CIA) estimated Iran had intent but insufficient capability for CNA. The National Security Agency (NSA) conducted network analysis that showed contacts between Iranian intelligence officials and a Russian hacker website also associated with terrorist and criminal groups. The Department of State (DoS) had a human intelligence (HUMINT) report of a highly skilled Russian hacker traveling to Iran two weeks prior to the attack. At this point in time, USCYBERCOM and the federal government remain unclear on how to respond since attribution and the legal status of the attack, whether it was a criminal act or an act of war, remain unclear.

This paper examines the law concerning cyberspace and analyzes six basic sources of cyberspace threats in order to propose which threats and their resulting computer intrusions are criminal as opposed to acts of war. It then describes the implications for intelligence collection and analysis that result from this legal and threat environment in order to propose several imperatives for the intelligence community that could help prevent scenarios like the one described above.

Existing Law and Stakeholders Regarding Cyberspace Activities

There are differing opinions on the applicability of current international law to cyberspace. Some scholars and lawyers argue that there are “no common, codified, legal standards regarding cyber aggression” and “current international law is not well suited for cyber-attacks.” Others argue “that a considerable body of international law applies to the use of force by states in cyberspace.” One has only to apply the general international laws on the use of force by analogy to determine whether a computer intrusion is “simply a crime committed by a non-state actor or an unlawful use of force by a state under international law.” Advocates of the need for new international laws to directly address computer intrusions argue that applying law by analogy to cyberspace is currently necessary but flawed for several reasons, to include: translation problems; exclusion of non-state actors; and applicability of cyberspace to multiple overlapping legal regimes. This paper uses the law by analogy argument since it appears to be the most generally accepted method despite its limitations.

So what international law is applicable by analogy? What constitutes an act of war in cyberspace? Making a legal distinction between crime and war is complicated due to the lack of accepted international definitions for key terms of aggression such as: act of war, armed conflict, use of force, and armed attack. International laws and treaties, to include the United Nations (UN) Charter, do not clearly define these terms of aggression. In general, an act of war is any use of force occurring in the course of armed conflict. However, to apply this to cyberspace requires further examination of what international law states about the use of force, armed attack, and armed conflict.

Article 2(4) of the UN Charter prohibits the “use of force” against another state. For the purposes of this paper, use of force is defined as “a state activity that threatens the territorial integrity or political independence of another state.” Customary international law prohibits a state from using force for retaliatory or punitive actions but allows using force in self-defense to deter future aggression. Article 51 of the UN Charter recognizes this right of a state to self-defense against an “armed attack.” For the purposes of this paper, armed attack is defined as “a use of force that rises to a certain scope, duration, and intensity threshold.” UN General Assembly Resolution 3314 provides examples of aggression that constitute armed attack, but they are traditional lethal examples as opposed to the non-traditional activities of cyberspace. According to Common Article 2 of the four Geneva Conventions of 1949, armed conflict exists upon: formal declaration of war; occupation of a state; or any other armed conflict between states even if war was not formally declared.

To summarize and apply these terms, short of a formal declaration of war or occupation, armed conflict exists when one state conducts a use of force against another state which is of a scope, duration, and intensity that qualifies it as an armed attack. Essentially, a use of force that meets the threshold of an armed attack qualifies as armed conflict and, under Article 51, triggers the right to self-defense. Using law by analogy, a computer intrusion by one state on another state’s computer network may qualify as a use of force if it threatens the territorial integrity or political independence of the state. If a state determines that another state’s computer intrusion meets the threshold of an armed attack, the intrusion could also be considered armed conflict and an act of war.

The key distinction is the scope, duration, and intensity threshold for an armed attack. There is a requirement for legal analysis on a case by case basis to determine which computer intrusions meet the threshold for an armed attack. Essentially, lawyers must study state practice and international precedent to make legal determinations, applying existing law by analogy. In order to determine whether a state’s computer intrusion is an act of war, there is a requirement for a legal interpretation that concludes “an activity not traditionally considered an armed attack [computer intrusion] is used in such a way that it becomes tantamount in effect to an armed attack.” There are several proposed frameworks that lawyers can use to determine when a computer intrusion equates to armed attack, to include: the Schmitt framework, which applies seven factors beyond scope, duration, and intensity; and the Libicki framework, which categorizes armed attacks into groupings which are universally, multilaterally, or unilaterally accepted within the international community.

Regardless of the framework applied, it seems to be generally accepted through law by analogy that a CNA conducted by a state which causes physical damage to another state’s assets would meet the threshold for unlawful armed attack unless conducted in self-defense or as part of a UN-sanctioned operation. CNA used in self-defense under UN Charter Article 51, or as part of a UN-sanctioned operation, is legal as long as the principles of the Law of Armed Conflict are followed. However, even if in self-defense, a CNA conducted by a state with the intent to cause physical damage to “works or installations containing dangerous forces, namely dams, dikes and nuclear electrical generating stations,” would appear to be an unlawful armed attack under the 1977 Geneva Protocol I, Article 56. For example, the CNA on US nuclear power plants described in the opening scenario would be considered an unlawful armed attack if it could be attributed to a state.

At this point, it is important to note two additional limitations in international law. First, CNE would not generally meet the standard of a use of force or an armed attack. In 1960, the UN Security Council concluded that a U-2 reconnaissance flight by the United States over Soviet territory was not a use of force under UN Charter Article 2(4). Using this precedent by analogy, the “virtual penetration of a state’s cyberspace” for reconnaissance (i.e. CNE) also does not constitute a use of force under UN Charter Article 2(4). While CNE and espionage do not violate international law, they could be prosecuted as criminal activity if the domestic law of the state in which it occurs outlaws such activity. Second, international law and treaties, to include the UN Charter, apply to state-on-state conduct and exclude non-state actors. Therefore, in order to make a legal determination that a CNA qualifies as an armed attack, it must be attributed to a state. As was evident in the example scenario, attribution for computer intrusions is extremely difficult; even if attributed to an individual, proving that individual was acting in an official capacity for a state is doubly difficult.

As noted above, CNE and the computer intrusions of non-state actors, to include CNA, could constitute crimes rather than acts of war, unless a UN resolution or other international convention were to specifically sanction military operations against non-state actors conducting CNA. CNE and the computer intrusions of non-state actors are customarily left to domestic law enforcement agencies or to states for resolution. A state’s response against a non-state actor is a “law enforcement issue that must, at least at present, be principally addressed through cooperative bilateral and multilateral extradition and mutual legal assistance treaties.”

Domestically, the Computer Fraud and Abuse Act (CFAA) is the principal US law addressing Internet-related computer crime. The CFAA prohibits unauthorized access to a protected computer or gaining and using information in a manner exceeding authorized access. Robert Morris, a Cornell University computer science student, was the first person convicted under this act in 1990 when he released a virus that affected hundreds of educational and military computers during the early stages of the Internet. Additionally, the United States has indicted criminals for using, maintaining, and selling botnets, which are networks of robotic internet devices that control other computers without the user’s knowledge. The use of botnets can be prosecuted as civil trespass but the plaintiff must establish damages as well as trespass in cyberspace. There are also copyright laws protecting companies from cyber-theft. The Digital Millennium Copyright Act protects companies that encrypt trade secrets from hackers who would try to circumvent the company’s encryption or digital locks.

These US laws apply to both US and foreign citizens, but prosecution of foreign citizens is more difficult because it requires recognition of the law and the right to extradition by another state. Prosecution of cyber-crimes that cross state borders, enforcement of national criminal judgments, and extradition of cyberspace criminals are complicated since “there is no international treaty for enforcement of judgments or any Convention providing for extraterritorial Internet enforcement.” Some nations have weak governments, security forces, and/or law enforcement agencies and would have difficulty capturing and extraditing criminals.

Most nations have different laws and some nations have no laws regarding cyberspace activities. For example, France made it a crime for an internet service provider (ISP) to “give access to or possess Nazi memorabilia” while China required Yahoo to “filter materials critical of the Communist party regime as a condition of access to Chinese markets.” Both of these national rulings are at odds with US rulings on First Amendment rights and cause conflicts in Internet governance since many of the ISPs are American-based. An Israeli citizen who hacked into the Rome Lab, a US military research and development laboratory, multiple times in 1994 was not prosecuted because there were no Israeli laws recognizing this as a crime. In 2000, a Filipino hacker was not prosecuted for his “I Love You” virus, which infected over 60 million computers worldwide, again because there were no laws against this cyberspace activity in the Philippines.
There has been some recent international progress in trying to address these difficulties in accountability for cyber-crimes. Thirty-three countries, including the United States, have signed the Council of Europe’s Convention on Cybercrime (CoECC) published in November 2001. The Convention “seeks to better combat cybercrime by harmonizing national laws, improving investigative abilities, and boosting international cooperation.” Critics of the Convention point out, however, that it will be ineffective as long as the signatories do not include nations where criminals and terrorists operate freely. The UN Secretariat has also recently established a Working Group on Internet Governance (WGIG) to study and make proposals for Global Internet Governance.

A final complicating factor in this examination of when cyberspace activities qualify as crime versus war relates to the key stakeholders involved. There are many stakeholders with varied and often competing interests and authorities. This further complicates the environment and makes the formulation of consistent, unified responses against cyberspace activities challenging.

Internationally, key stakeholders include: multilateral cooperative organizations like the UN, CoECC, North Atlantic Treaty Organization (NATO), and International Criminal Police Organization (INTERPOL); non-governmental organizations (NGO); states; and non-state actors. Through its Security Council and General Assembly resolutions, the UN may sanction a state or non-state actor for a CNA that constitutes an armed attack or authorize military actions against state and non-state actors conducting CNA. NATO also has the authority to determine when a CNA on one of its member states constitutes an armed attack. For example, in 2007 NATO determined a CNA against Estonia did not trigger Chapter 5 thresholds requiring a NATO response against an attack on a NATO member. INTERPOL and the CoECC are focused on cooperation against cyber-crime. Some NGOs are very focused on privacy rights and argue against cyber-security measures that improve attribution methods on the Internet. State actors have varied interests; some want to advance cooperation against computer intrusions and cyber-crime, while others tend to exploit difficulties in attribution by employing covert non-state actors to perform their CNE and CNA. Non-state actors can act individually or in support of states when conducting computer intrusions.

Domestically, key stakeholders include: agencies of the Executive Branch such as the National Security Council (NSC), the Department of Defense (DoD), the Department of Homeland Security (DHS), the Secret Service, the Department of Justice (DoJ), the Federal Bureau of Investigation (FBI), the Federal Trade Commission, DoS, ODNI, CIA, NSA, and USCYBERCOM; members of Congress; NGOs and lobbyists; private companies; and governments and courts from federal to local level. The NSC advises the president on policy decisions, while Congress, state, and local governments pass laws related to cyberspace activities. Courts make rulings on law regarding cyberspace activities at all levels. NGOs and lobbyists have varied interests from advocating privacy rights to increased federal regulation of cyber-security. Private companies own 85% of the nation’s infrastructure, including the digital infrastructure, and are therefore invested in their own cyber-security.

Based on law and policy, acts of war in cyberspace involve DoD, ODNI, CIA, NSA, USCYBERCOM and potentially DHS, while cyber-crimes involve DHS, Secret Service, DoJ, FBI, and the Federal Trade Commission. DHS is responsible for focusing on protection of government agency and private information systems to include reducing and consolidating external access points, deploying passive network sensors, and defining public and private partnerships. DHS is also the focal point for efforts to protect the nation’s computer-reliant critical infrastructure. DoD is responsible for protecting military information systems to include monitoring, increasing security of classified networks, and deploying intrusion prevention systems. ODNI is responsible for monitoring intelligence community information systems and other intelligence-related activities, including the development of a government-wide cyberspace counterintelligence (CI) plan.

Sources of Threats and Their Status Under Law

Having examined the law on cyberspace and key stakeholders, this paper will now describe the basic threats in cyberspace and their general status under the law. There are six basic sources of threats: foreign nations, criminal groups, hackers, hacktivists, disgruntled insiders, and terrorists.

Foreign nations would appear to have the most robust cyberspace means and capabilities at this time. It is estimated that “over 120 countries already have or are developing computer attack capabilities.” Most of these countries are focused on CNE or using cyberspace tools as part of their intelligence and espionage activities. According to the ODNI, the majority of computer intrusions originate in Russia and China, and both nations have large efforts focused on CNE and CNA.

The CNE activities of foreign nations fall into the criminal category under existing law and are more common than CNA. CNA by foreign nations is generally accepted as the most dangerous threat to US computer networks. As previously discussed, CNA could rise to the level of an armed attack based on scope, duration, and intensity. Essentially, a CNA that causes physical damage could equate to an armed attack. The primary difficulty, however, is attributing that armed attack back to a foreign nation.

There are several historical examples of CNA believed to have been launched by foreign nations. In 1999, the Indonesian government was generally blamed for what might have been the first reported state-on-state CNA when non-governmental computers in Ireland were attacked, bringing down the East Timor virtual country domain and internet service to over 3000 customers. In April and May of 2007, Estonia was the target of the “first-ever coordinated cyber-attack against an entire country.” Estonia’s digital infrastructure suffered extensive distributed denial of service (DDOS) and botnet attacks that adversely affected its banking and government operations and denied basic access to ISPs. In August 2008, the country of Georgia experienced extensive CNA used in conjunction with military attacks. As Russian troops were moving into South Ossetia, Georgia’s digital infrastructure and government web sites experienced DDOS attacks, web defacement, and disinformation and propaganda attacks intended to paralyze the government response. In June 2010, several countries discovered the first precision CNA intended to cause physical harm to infrastructure in the form of a cyber-worm known as “Stuxnet.” This cyber-worm targeted, infiltrated, and took control of specific SCADA software “used to run chemical plants and factories as well as electric power plants and transmission systems worldwide.” The worm was estimated to have infected at least 45,000 industrial control systems worldwide and may have been specifically designed to target centrifuges at the Bushehr Iranian nuclear facility.
Debate continues in each case over whether there was sufficient physical damage and/or attribution to qualify the CNA as armed attacks by a foreign nation. Attribution of a CNA to a foreign government is complicated because it is difficult to trace the connection between an individual hacker and a government. Furthermore, some nations may attempt to use an IP address that attributes the CNA to another nation or individual (i.e., they engage in false flag operations).

Criminal groups, by the nature of their intent, fall into the category of cyber-crime. These groups conduct computer intrusions for profit, and cyber-crime will continue to expand as long as it remains lucrative. Criminal groups target personally identifiable information (PII) on individuals and proprietary information from private companies in order to gain unauthorized access to credit and bank accounts, run scams, or sell information to the highest bidder. In some cases, these groups seize SCADA controls for extortion, forcing the private company to pay a fee to regain control of important functions. Criminal groups also market and sell the tools for crime like botnets, spiders, and zombie computers.

Hackers comprise a wide category of individuals who often conduct CNE and CNA for thrills or bragging rights. In the past, hackers required exceptional skill, but the proliferation of attack scripts and protocols from the Internet available for download on hacker websites has made hacking easier. In general, “attack tools have become more sophisticated and easier to use.” Hackers generally fall into the category of cyber-crime and are increasingly co-opted and paid for by criminal groups for their services. Hackers can also be co-opted by foreign intelligence services to perform CNE or CNA when a nation wants to prevent attribution. It is feasible that a hacker could conduct a CNA that rises to the level of an armed attack, but he would have to be pursued on a criminal basis unless attribution to a foreign nation could be proved. This would be the case from the opening scenario if the CNA were attributed to the Russian hacker and not the Iranian government.

There are hundreds of hackers conducting computer intrusions each day. The previously cited example of Robert Morris is a typical example of a hacker. In February 1998, two California teenagers and an Israeli teenager conducted CNA on DoD computers in intrusions known as “Solar Sunrise.” In 2003, a hacker used the “Slammer” worm to corrupt the safety monitoring systems of a nuclear power plant in Ohio for five hours via a backdoor through the Internet. Another hacker’s worm, known as “MS Blast” or “Blaster,” was reportedly linked to the major power outage that hit the northeast United States in August 2003, where it “crippled key detection systems and delayed response during a critical time.” While these computer intrusions by hackers took significant money, time, and other resources to fix, none rose to the level of an armed attack.

Hacktivists are individuals or groups who conduct politically motivated computer intrusions. They normally use DDOS attacks or modify publicly accessible web pages or e-mail servers to send a political message. Hacktivists fall into the criminal category. Russian hacktivists, incensed by Estonia’s plan to move a Russian soldier monument, were involved in the CNA on Estonia in 2007. In the case of Estonia, the energized hacktivists made attribution for the attacks even more difficult than usual, possibly providing an effective smokescreen for Russian government operatives.
Disgruntled insiders can work from within an organization to conduct computer
intrusions. Their existing access and knowledge of the network make it easier to
damage the system or steal data from it, since they do not have to defeat the perimeter
defenses an outside attacker faces. Insiders are often involved in criminal activity for
profit, whether directly through embezzlement or indirectly by passing information to
criminal groups. For example, in 2001, two accountants working for Cisco Systems used
their access to company computer systems to “illegally issue almost $8 million in Cisco
stock to themselves.” Insiders, even if recruited by a foreign intelligence service to
conduct espionage, fall into the criminal category.

Like hacktivists, terrorists are also individuals or groups who conduct politically
motivated computer intrusions. The main difference, however, is the terrorist intent for
violence. US law defines terrorism as “premeditated, politically motivated violence
perpetrated against noncombatant targets by sub-national groups or clandestine
agents.” As previously discussed, since international laws, treaties, and conventions
generally only recognize states, terrorists normally fall into the criminal category unless
a specific UN resolution has sanctioned military operations against a terrorist group.

Cyber-terrorism is “the use of computers as weapons, or as targets” by
terrorists. Terrorists use the Internet extensively, but to this point “not for offensive
actions.” Most computer intrusions by terrorists fall in the realm of CNE intended to
gather information for potential future lethal attacks. To date, there has been no
published linkage of a CNA to a terrorist group. In general, it would be very difficult to
label a CNA as cyber-terrorism because of the difficulty in determining attribution and
intent.

General Alexander does not see terrorist groups as a major CNA threat currently,
but that could change. Nations on the Department of State (DoS) list of states that
sponsor terrorism generated less than 1% of all reported computer intrusions in 2002.
Al Qaeda has used the Internet extensively to network its strategic communications to
other terrorist groups and to recruit disciples. Furthermore, Al Qaeda computers
captured in Afghanistan held extensive data on dam controls and on methods to
potentially cause catastrophic failure of infrastructure control systems, showing planning
and intent for future terrorist attacks. Although terrorist groups might not have extensive
CNA capabilities currently, they could obtain the required expertise in several ways:
sending true believers to cyberspace schooling; trying to convert hackers to their cause;
or paying criminal groups or hackers to execute their attacks by proxy. By coordinating a
proxy CNA with a physical terrorist attack, terrorist groups could feasibly degrade a
state’s ability to respond.

Implications  for  the  Intelligence  Community 

Leaders, policymakers, and other stakeholders have many complex decisions to
make regarding cyberspace. This section will highlight two that evolve from the
preceding analysis of cyber law and sources of threats. First, they must decide what
level of risk is acceptable in cyber-security based on the threat. Second, they must
determine how to respond to CNE and CNA. A key role of the intelligence community is
to facilitate these decisions. Having examined existing law, the sources of threats, and
their status under law, what are the implications for the intelligence community in
fulfilling this role? This paper proposes five imperatives that evolve from the previous
analysis and which are important for the intelligence community to internalize in order to
support these key decisions.

The first imperative is that legal advisors must be embedded in intelligence
organizations undertaking computer network operations. As previously stated, computer
intrusions often fall into a gray area between crime and war, requiring a case-by-case
legal analysis using law by analogy. Intelligence organizations conducting cyberspace
activities need lawyers for several purposes.

First, the lawyers can assist with legal determinations on which computer
intrusions meet the threshold for an armed attack. These computer intrusions will
generally fall under the purview of DoD or the CIA, which make recommendations to the
president and then execute appropriate foreign intelligence collection, covert action, or
military responses. Computer intrusions that do not meet the armed attack threshold
may be passed to the DoJ, DHS, or other domestic stakeholders for action if they
qualify as crimes or relate to domestic terrorism or security concerns.

Second, legal expertise on intelligence law is necessary to ensure intelligence
agencies are operating legally within their established authorities. For example, DoD
intelligence agencies have limitations on the collection, retention, and dissemination of
information on US persons as established by US Code Title 50 Chapter 36, Executive
Order 12333, and DoD Directive 5240.1-R. Agencies with domestic intelligence
authorities have corresponding restrictions on foreign intelligence collection, retention,
and dissemination. There are additional limitations on authorities and collection
methods in various other domestic intelligence laws and policies, such as the Foreign
Intelligence Surveillance Act, the Electronic Communications Privacy Act, the Patriot
Act, the Stored Communications Act, and the Economic Espionage Act.

Third, any organization that will conduct CNA will require legal expertise on the
Laws of Armed Conflict (LOAC) to understand how the principles of military necessity,
unnecessary suffering, proportionality, and discrimination of military targets from civilian
sites apply in cyberspace. In the opening scenario, USCYBERCOM would require a
legal determination of an armed attack based on attribution and intent in order to
respond. The appropriate response would be tested against the LOAC.

The second imperative is that intelligence must clearly quantify threat
capabilities, intent, and vulnerabilities to facilitate the decisions of key stakeholders.

One of the mission objectives of the US National Intelligence Strategy (NIS) is to
“enhance cybersecurity.” The NIS further emphasizes that one of the ways the
intelligence community does this is “by expanding our knowledge of the capabilities,
intentions, and cyber vulnerabilities of our adversaries.”

As stated above, stakeholders must decide what level of risk is acceptable in
cyber-security based on the threat. In order to do this, they must understand the threat’s
capabilities and intent. The United States has a diverse set of networks that vary from
separate and secure classified DoD networks to Internet-based, privately owned, critical
infrastructure networks. Understanding the threat’s cyberspace capabilities against the
various networks in the United States and its intent for using those capabilities helps
guide stakeholders’ decisions on what security measures to take for networks as well as
the amount of federal regulation required for the nation’s critical infrastructure. The
United States may be able to partner with nations or groups that possess cyberspace
capabilities but no harmful intent in order to establish international norms and standards
for cyber-security. Only limited resources and security measures are necessary to
defend against threats with harmful intent but no cyberspace capabilities; in this case,
the United States can focus its intelligence on ensuring the threat does not partner with
another actor to gain cyberspace capabilities that match its intent. For example, in the
opening scenario the United States should have focused its intelligence collection on
any attempts by Iran to gain CNA capabilities. A threat that possesses both intent and
capability requires the highest security measures, federal regulation, and priority
intelligence monitoring.

In deciding how to respond to a computer intrusion, intelligence can provide
decision makers with a better understanding of the threat’s intent and vulnerability.
Understanding the threat’s intent (i.e., CNE versus CNA) makes a difference in the US
response. If the United States decides to respond in kind, understanding the
adversary’s cyberspace vulnerability becomes important. A comprehensive CNA on US
infrastructure would require extensive planning and preparation. This amount of
preparation, surveillance, and testing is vulnerable to detection if intelligence is
sufficiently focused and persistent in determining capabilities and intent.

As previously stated, determining attribution is very difficult. However, attribution
is precisely what decision makers need from intelligence for both prevention and
response. The NIS emphasizes that the intelligence community further enhances
cybersecurity “by increasing our ability to detect and attribute adversary cyber activities.”
Decision makers need attribution for suspicious computer intrusions and CNE to
proactively determine the true nature of the threat, defend networks, and prevent
potential escalation to CNA. Decision makers also need attribution for CNA to determine
the status of the threat and attack under law and the appropriate response. In the
opening scenario, USCYBERCOM could have made a recommendation on the
appropriate response if attribution of the CNA had been clear.

This problem of attribution contributes to the third intelligence imperative, which
is that network analysis is important in order to determine the true source of the threat.
While certain members of the intelligence community have made great progress in
using network analysis methods, progress is sporadic across the community as a
whole. The intelligence community, whether associated with military or law
enforcement organizations, should be investing in data mining and link analysis
technologies and training. Data mining is generally used to find anomalies, while
link analysis finds commonalities. These network analysis technologies can exploit
large amounts of data and have proven to be powerful tools in determining affiliations
and linkages while also highlighting the absence of linkages. For example, scientists at
the Massachusetts Institute of Technology conducted an experiment in which they were
able “to use network analysis to determine the sexual orientation of Facebook users
even though these users had not disclosed their preferences publicly.”

Hackers conducting computer intrusions have social networks that can be
charted and analyzed to determine their linkages. The linkages could turn up
associations with other hackers, hacktivists, and insiders, or in some cases criminal
groups, terrorists, or foreign government agents directing the activity. For example, in
the opening scenario, NSA successfully employed network analysis to determine
Iranian government and Russian hacker associations. An absence of key linkages is
also important because it can indicate an individual is less of a threat and not directed
by criminal groups, terrorists, or a foreign nation.

Intelligence analysts can focus on key indicators that can be tracked through
network analysis. As previously noted, terrorist groups are making extensive use of the
Internet for strategic communications and recruiting but appear to have limited CNA
expertise. There are a limited number of hackers with high-level expertise. Monitoring
the social networks and movement of these individuals can indicate when a foreign
nation, terrorist, or criminal group is recruiting a hacker for training, preparation, or an
actual attack. For example, in the opening scenario, the HUMINT report on the
Russian hacker’s travels should have triggered further intelligence collection to confirm
the hacker’s activities in Iran. Studies have shown that terrorist and criminal groups
share technology and expertise for reasons more related to profit and gaining
operational capability than to ideological similarities. Analysts can monitor hacker and
terrorist chat rooms and web sites to determine linkages between the two and their
potential sharing of technology and expertise.

The fourth intelligence imperative is that an all-source approach is necessary.
This is directly tied to the problem of attribution and network analysis. Because
cyberspace resides in the signals intelligence (SIGINT) discipline, it would be very easy
to treat this solely as a SIGINT problem. However, telephony and computers do not
have all the answers. Individuals with expertise in computer intrusions generally also
know how to route those intrusions through compromised intermediaries, such as botnet
hosts, so that the traffic electronically attributes the intrusion to another individual’s
computer rather than to their own. Thus, it would be very easy to make a false attribution
using single-source SIGINT. Bringing other intelligence disciplines into the analysis
should help catch such inconsistencies, as well as possibly show linkages not visible
through SIGINT. In fact, the NIS specifically emphasizes the need to integrate CI with
cyberspace to protect critical infrastructure. All intelligence disciplines can be used for
collection on both foreign and domestic threats. The collection must be done by the
intelligence agencies with the correct foreign or domestic collection authorities under
legal advice, as discussed in the first intelligence imperative.

An all-source approach complicates the technology aspect of network analysis
because HUMINT, imagery intelligence (IMINT), and CI come in various information
formats that differ significantly from SIGINT. Data mining and link analysis technologies
generally have limitations in handling unstructured formats that combine different
types of information, like text and video. However, there have been significant advances
in tagging these formats for data mining, and the intelligence community needs to
continue to develop this capability in order to provide more comprehensive network
analysis. In the opening scenario, better tagging of HUMINT may have allowed for its
integration with SIGINT during network analysis to connect the dots on the Russian
hacker-Iran connection.
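The following is an added illustration of the link analysis described in the third imperative and of the all-source tagging problem described just above; it is not from the paper and is not any agency's tooling. All entity names and records are constructed for the opening scenario (the intrusion, the compromised relay, the hosting persona, the travel report) and are hypothetical labels, not real identifiers or reporting. Each record from SIGINT, CI, or HUMINT is tagged and normalized to one edge format so that a single graph can be charted and walked. Restricting the walk to SIGINT reproduces the false attribution the paper warns about: the chain ends at the owner of the compromised relay. Only when the CI and HUMINT edges are charted alongside SIGINT does a chain reach the state sponsor, and an unrelated hacker shows the absence of any such linkage.

```python
"""Toy all-source link analysis for attribution (added example, not from the paper).

Records from different disciplines are normalized to one edge format,
(entity_a, entity_b, discipline, note), so they can be charted on one graph.
Everything below is constructed and hypothetical.
"""
from collections import defaultdict, deque

RECORDS = [
    # SIGINT: the intrusion's source address is a compromised residential host
    # (a bot); followed alone, it leads to the bot's owner, not the operator.
    ("intrusion_us_scada", "bot_203.0.113.7", "SIGINT", "source address of attack traffic"),
    ("bot_203.0.113.7", "residential_subscriber", "SIGINT", "address registered to a home subscriber"),
    ("bot_203.0.113.7", "c2_198.51.100.9", "SIGINT", "bot beacons to a command-and-control host"),
    # CI: the C2 host is rented under a persona previously tied to a known hacker.
    ("c2_198.51.100.9", "hosting_persona", "CI", "server rented under this persona"),
    ("hosting_persona", "russian_hacker", "CI", "persona used by the hacker in earlier cases"),
    # HUMINT (e.g. a travel report), tagged so it charts beside SIGINT.
    ("russian_hacker", "tehran_visit", "HUMINT", "reported travel to Tehran"),
    ("tehran_visit", "iranian_government", "HUMINT", "meetings hosted by ministry officials"),
    # An unrelated intrusion by a hacker with no state or criminal linkage.
    ("intrusion_university", "student_hacker", "SIGINT", "traffic from the student's own machine"),
    ("student_hacker", "campus_hacking_club", "HUMINT", "member of a campus club"),
]


def build_graph(records, disciplines=None):
    """Undirected adjacency map; `disciplines` restricts which sources are charted."""
    graph = defaultdict(set)
    for a, b, disc, _note in records:
        if disciplines is None or disc in disciplines:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the entity chain from start to goal, or None."""
    if start == goal:
        return [start]
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic output
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == goal:
                chain = [goal]
                while prev[chain[-1]] is not None:
                    chain.append(prev[chain[-1]])
                return chain[::-1]
            queue.append(nxt)
    return None


def attribute(records, intrusion, candidates, disciplines=None):
    """For each candidate source, the shortest linkage chain from the intrusion, or None."""
    graph = build_graph(records, disciplines)
    return {c: shortest_path(graph, intrusion, c) for c in candidates}


def disciplines_on_chain(records, chain):
    """Which disciplines supplied the hops of a chain (what single-source analysis would miss)."""
    hops = set(zip(chain, chain[1:]))
    return {disc for a, b, disc, _note in records if (a, b) in hops or (b, a) in hops}


if __name__ == "__main__":
    who = ["residential_subscriber", "russian_hacker", "iranian_government"]
    print("SIGINT only:", attribute(RECORDS, "intrusion_us_scada", who, {"SIGINT"}))
    print("SIGINT + CI:", attribute(RECORDS, "intrusion_us_scada", who, {"SIGINT", "CI"}))
    print("all-source: ", attribute(RECORDS, "intrusion_us_scada", who))
    print("unrelated:  ", attribute(RECORDS, "intrusion_university", ["iranian_government"]))
```

The SIGINT-only run returns a chain to `residential_subscriber` and nothing for the hacker or the state sponsor; adding CI reaches the hacker; only the all-source graph reaches `iranian_government`, and `disciplines_on_chain` shows that every one of the three disciplines contributed a hop. The unrelated university intrusion has no chain to any state actor, which is the absence of linkage the paper treats as evidence in its own right.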

The fifth imperative is that intelligence sharing must be improved both within the
intelligence community and with key stakeholders. Having just highlighted the
importance of a comprehensive all-source intelligence approach, it is crucial to share
intelligence between the multiple stakeholders involved in order to improve detection
and attribution. Additionally, intelligence sharing is especially important to get domestic
and foreign intelligence into the hands of those intelligence agencies and stakeholders
with the correct legal authorities for response, as noted in the first imperative. The
opening scenario highlighted problems with information sharing, since the CIA’s
assessment of Iran as having intent with no capability was not informed by the SIGINT
from NSA and the HUMINT from DoS. The NIS recognizes this imperative with enterprise
objectives to “strengthen partnerships” and “improve information integration and
sharing.” According to the Comprehensive National Cybersecurity Initiative (CNCI),
ODNI has responsibility to “connect current cyber centers to enhance cyber situational
awareness and lead to greater integration and understanding of the cyber threat.”

Activities like the Cyber Storm series of exercises conducted by DHS have
improved intelligence sharing with the 13 countries, 11 states, and seven cabinet-level
federal agencies that participated in the latest Cyber Storm III exercise. However,
there is still room for improvement. The exercise report from the Cyber Storm III
exercise specifically cited that “exchanging and sharing classified information among
organizations proved to be a challenge.”

Conclusion 

The issues of cyberspace law are complex and unlikely to be resolved any time
soon. Although efforts like the CoECC and UN WGIG represent progress in
international cooperation on the development of cyberspace standards and norms, most
of this progress is in the area of defining cyber-crime rather than cyber-war. Given US
interests in protecting privacy rights, the issues related to attribution will also endure.
However, stakeholders require timely and accurate intelligence in order to make
decisions on the legal status of a computer intrusion and its source as well as the
appropriate response, whether criminal prosecution or military action.
The five intelligence imperatives proposed in this paper are not panaceas but
would greatly reduce the risk of the opening scenario ever happening in the United
States. Applying these intelligence imperatives facilitates decisions and mitigates risk.
Comprehensive network analysis and an all-source intelligence analytical
approach would assist with quantifying threat capabilities and intentions, thereby
facilitating detection, prevention, attribution, and decision making. Increased intelligence
sharing supports the all-source approach, facilitates collaboration between law
enforcement and the military, and provides a common operating picture to all
stakeholders. Finally, embedding experienced legal advisors in intelligence
organizations involved in cyberspace activities will facilitate quicker determinations of
legal status and appropriate responses by the agencies with the proper legal authorities.